Wazuh | Splunk | Rev |
---|---|---|
4.3 | 8.2.2 | 4303 |
Description
Performing a single-instance deployment according to this documentation, if the Wazuh app is installed together with Splunk Enterprise on CentOS 8 Stream, the form input fields where the credentials, port, and alias must be entered are not displayed.
This behavior is not reproduced if the Wazuh app and Splunk Enterprise are installed on CentOS 7.
Wazuh app does not show form input fields:
- Node1 (Vagrant CentOS 7): Wazuh manager + Splunk forwarder
- Node2 (Vagrant CentOS 8 Stream): Wazuh app + Splunk Enterprise
Wazuh app shows form input fields:
- Node1 (Vagrant CentOS 8 Stream): Wazuh manager + Splunk forwarder
- Node2 (Vagrant CentOS 7): Wazuh app + Splunk Enterprise
Steps to reproduce
- Install Wazuh manager in CentOS 7 (node1)
- Install Splunk enterprise in CentOS 8 Stream (node2)
- Install Splunk forwarder in CentOS 7 (node1)
- Install the Wazuh app in CentOS 8 Stream (node2)
Node1 CentOS 7 commands (192.168.57.102)

(install Wazuh manager in node 1)

```
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
EOF
# yum install -y wazuh-manager
# systemctl start wazuh-manager
```

(install Splunk Enterprise in node 2: see the Node2 commands below)

(install Splunk forwarder in node 1)

```
# yum localinstall splunkforwarder-8.2.2.rpm -y
# curl -so /opt/splunkforwarder/etc/system/local/props.conf https://raw.githubusercontent.com/wazuh/wazuh-splunk/v4.3.0-8.2.2/setup/forwarder/props.conf
# curl -so /opt/splunkforwarder/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh-splunk/v4.3.0-8.2.2/setup/forwarder/inputs.conf
# sed -i "s:MANAGER_HOSTNAME:$(hostname):g" /opt/splunkforwarder/etc/system/local/inputs.conf
# /opt/splunkforwarder/bin/splunk start
# /opt/splunkforwarder/bin/splunk add forward-server 192.168.57.104:1024
# /opt/splunkforwarder/bin/splunk restart
```

(install the Wazuh app in node 2: see the Node2 commands below)
Node2 CentOS 8 Stream commands (192.168.57.104)

(install Splunk Enterprise in node 2)

```
# yum localinstall splunk-8.2.2.rpm
# curl -so /opt/splunk/etc/system/local/indexes.conf https://raw.githubusercontent.com/wazuh/wazuh-splunk/v4.3.0-8.2.2/setup/indexer/indexes.conf
# curl -so /opt/splunk/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh-splunk/v4.3.0-8.2.2/setup/indexer/inputs.conf
# /opt/splunk/bin/splunk start
```

(add the receiving port in the Splunk UI, e.g. 1024)

```
# /opt/splunk/bin/splunk restart
```

(install Splunk forwarder in node 1: see the Node1 commands above)

(install the Wazuh app in node 2)

```
# curl -o SplunkAppForWazuh.tar.gz https://packages-dev.wazuh.com/pre-release/ui/splunk/wazuh_splunk-4.3.0_8.2.2-1.tar.gz
# /opt/splunk/bin/splunk install app SplunkAppForWazuh.tar.gz
# /opt/splunk/bin/splunk restart
```

(access the UI and try to add the API credentials)
Regarding the alerts displayed in the Splunk health status, the following is seen:
Ingestion Latency
Root Cause(s):
Events from tracker.log have not been seen for the last 1440 seconds, which is more than the red threshold (210 seconds). This typically occurs when indexing or forwarding are falling behind or are blocked.
Last 50 related messages:
```
04-20-2022 12:47:13.976 +0000 INFO TailingProcessor [5124 MainTailingThread] - Adding watch on path: /opt/splunk/var/spool/splunk.
04-20-2022 12:47:13.976 +0000 INFO TailingProcessor [5124 MainTailingThread] - Adding watch on path: /opt/splunk/var/run/splunk/search_telemetry.
04-20-2022 12:47:13.976 +0000 INFO TailingProcessor [5124 MainTailingThread] - Adding watch on path: /opt/splunk/var/log/watchdog.
04-20-2022 12:47:13.976 +0000 INFO TailingProcessor [5124 MainTailingThread] - Adding watch on path: /opt/splunk/var/log/splunk.
04-20-2022 12:47:13.976 +0000 INFO TailingProcessor [5124 MainTailingThread] - Adding watch on path: /opt/splunk/var/log/introspection.
04-20-2022 12:47:13.976 +0000 INFO TailingProcessor [5124 MainTailingThread] - Adding watch on path: /opt/splunk/etc/splunk.version.
04-20-2022 12:47:13.976 +0000 INFO TailingProcessor [5124 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/watchdog/watchdog.log*.
04-20-2022 12:47:13.975 +0000 INFO TailingProcessor [5124 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log*.
04-20-2022 12:47:13.975 +0000 INFO TailingProcessor [5124 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/splunk/license_usage_summary.log.
04-20-2022 12:47:13.975 +0000 INFO TailingProcessor [5124 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/splunk.
04-20-2022 12:47:13.975 +0000 INFO TailingProcessor [5124 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/introspection.
04-20-2022 12:47:13.975 +0000 INFO TailingProcessor [5124 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME/etc/splunk.version.
04-20-2022 12:47:13.975 +0000 INFO TailingProcessor [5124 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk/tracker.log*.
04-20-2022 12:47:13.975 +0000 INFO TailingProcessor [5124 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk/...stash_new.
04-20-2022 12:47:13.974 +0000 INFO TailingProcessor [5124 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk/...stash_hec.
04-20-2022 12:47:13.974 +0000 INFO TailingProcessor [5124 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk.
04-20-2022 12:47:13.974 +0000 INFO TailingProcessor [5124 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME/var/run/splunk/search_telemetry/*search_telemetry.json.
04-20-2022 12:47:13.974 +0000 INFO TailingProcessor [5124 MainTailingThread] - TailWatcher initializing...
```
Disk Space
Root Cause(s):
The diskspace remaining=293 has breached the red threshold for filesystems=[/opt/splunk/var/lib/splunk/audit/db]
Last 50 related messages:
```
04-20-2022 13:11:20.019 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:19.003 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:17.996 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:16.995 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:15.982 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:14.980 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:13.964 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:12.958 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:11.957 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:10.956 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:09.955 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:08.954 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:07.953 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:06.952 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:05.940 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:04.938 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:03.933 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:02.929 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:01.928 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:00.923 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:59.903 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:58.899 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:57.897 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:56.891 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:55.889 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:54.887 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:53.886 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:52.885 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:51.883 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:50.883 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:49.883 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:48.882 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:47.881 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:46.877 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:45.875 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:44.875 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:43.874 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:42.874 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:41.873 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:40.870 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:39.868 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:38.868 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:37.867 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:36.867 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:35.866 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:34.866 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:33.865 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:32.865 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:31.864 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:10:30.863 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
```
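The DiskMon warnings above say that the indexer's volume had 293 MB left against a MinFreeSpace of 5000 MB, the value splunkd reports in each line. As an added example (not code from this report or from the wazuh-splunk project), the POSIX shell script below parses such splunkd lines to flag a breached threshold, counts breaches across a log, and runs the same comparison against a live mount point before a deployment. The function names are hypothetical, the sample lines are constructed to mirror the report's output, and the 5000 MB default is taken from the logged MinFreeSpace value.

```shell
#!/bin/sh
# Added example (not from the issue or the wazuh-splunk project): parse the
# DiskMon warnings splunkd writes and flag a breached MinFreeSpace threshold,
# then check a live mount point the same way. The sample lines below are
# constructed, modelled on the ones in the report (the last one is a made-up
# non-breaching DiskMon line so the threshold comparison is exercised).
SAMPLE_LOG='04-20-2022 13:11:20.019 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=293 is less than 1 x minFreeSpace on /opt/splunk/var/lib/splunk/audit/db
04-20-2022 13:11:21.020 +0000 INFO TailingProcessor [5124 MainTailingThread] - TailWatcher initializing...
04-20-2022 13:11:22.021 +0000 WARN DiskMon [5076 indexerPipe] - MinFreeSpace=5000. The diskspace remaining=7300 is less than 2 x minFreeSpace on /opt/splunk/var/lib/splunk'

# For one log line: if it is a DiskMon warning whose remaining space is below
# MinFreeSpace, print "<path> <remaining_mb> <min_mb>"; otherwise print nothing.
diskmon_breach() {
    printf '%s\n' "$1" | awk '
        /WARN DiskMon/ {
            min = 0; rem = 0; path = ""
            for (i = 1; i <= NF; i++) {
                # "MinFreeSpace=5000." carries a trailing period; strip both parts
                if ($i ~ /^MinFreeSpace=/) { sub(/^MinFreeSpace=/, "", $i); sub(/\.$/, "", $i); min = $i + 0 }
                if ($i ~ /^remaining=/)    { sub(/^remaining=/, "", $i); rem = $i + 0 }
                if ($i == "on")            { path = $(i + 1) }
            }
            if (rem < min) print path, rem, min
        }'
}

# Count the breached DiskMon lines in a log read from stdin.
count_breaches() {
    n=0
    while IFS= read -r line; do
        if [ -n "$(diskmon_breach "$line")" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Free space in MB on the filesystem holding a path (POSIX "df -Pk", so it
# also works where df has no -m flag).
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# Succeed (exit 0) when the path's filesystem has at least the given MB free.
# The default of 5000 MB matches the MinFreeSpace value in the logged warnings.
fits_min_free_space() {
    [ "$(free_mb "$1")" -ge "${2:-5000}" ]
}

# Stand-alone run: list breaches in the sample and report how many there are.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do diskmon_breach "$line"; done
echo "breached lines: $(printf '%s\n' "$SAMPLE_LOG" | count_breaches)"
```

Run it on a real splunkd log with `count_breaches < /opt/splunk/var/log/splunk/splunkd.log`, and call `fits_min_free_space /opt/splunk` on the indexer host before installing the app; if it fails, indexing is already below the threshold splunkd enforces, and any UI symptoms should be triaged with that in mind rather than attributed to the app first.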
Wazuh app tab in CentOS 8 Stream (screenshot):
Wazuh app tab in CentOS 7 (screenshot):
Regards Raúl.